Jim Shi <hj...@yahoo.com> writes:

> Hi, I have a question regarding client IP address checking in the KDC. Is
> it true that by default tickets issued by the KDC are not bound to any
> client IP address? Also, the KDC server does not check the IP if the ticket
> does not have any client IP address in it.
> Do we have to explicitly turn on the client IP address checking on KDC?
> How to do it? Thank you very much.

I am dubious that IP address checking is a meaningful security measure. My recommendation would be to forget that it exists and not rely on it for your security model.

You're correct that the default value of the noaddresses configuration option is true, largely because address-locked tickets tend to cause tons of problems in modern network environments that often involve NAT.

--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos